saml2: only allow local URLs as redirections (#43279)
This commit is contained in:
parent
66de9cdd5c
commit
05c1573e38
|
@ -18,6 +18,7 @@ from wcs.qommon.misc import get_lasso_server
|
|||
from wcs.qommon.saml2 import Saml2Directory
|
||||
from wcs.qommon.ident.idp import MethodAdminDirectory, AdminIDPDir
|
||||
from wcs.qommon import sessions, x509utils
|
||||
from wcs.qommon.errors import RequestError
|
||||
from wcs.roles import Role
|
||||
|
||||
from utilities import get_app, create_temporary_pub, clean_temporary_pub
|
||||
|
@ -303,12 +304,21 @@ def test_assertion_consumer_redirect_after_url(pub):
|
|||
|
||||
def test_assertion_consumer_full_url_redirect_after_url(pub):
|
||||
req = get_assertion_consumer_request(pub)
|
||||
req.form['RelayState'] = 'http://example.org/foobar/?test=ok'
|
||||
req.form['RelayState'] = 'http://example.net/foobar/?test=ok'
|
||||
saml2 = Saml2Directory()
|
||||
saml_response_body = req.form['SAMLResponse']
|
||||
body = saml2.assertionConsumerPost()
|
||||
assert req.response.status_code == 303
|
||||
assert req.response.headers['location'] == 'http://example.org/foobar/?test=ok'
|
||||
assert req.response.headers['location'] == 'http://example.net/foobar/?test=ok'
|
||||
|
||||
|
||||
def test_assertion_consumer_external_url_redirect_after_url(pub):
|
||||
req = get_assertion_consumer_request(pub)
|
||||
req.form['RelayState'] = 'http://example.org/foobar/?test=ok'
|
||||
saml2 = Saml2Directory()
|
||||
saml_response_body = req.form['SAMLResponse']
|
||||
with pytest.raises(RequestError):
|
||||
body = saml2.assertionConsumerPost()
|
||||
|
||||
|
||||
def test_saml_login_page(pub):
|
||||
|
|
|
@ -355,6 +355,9 @@ class Saml2Directory(Directory):
|
|||
netloc = parsed_url.netloc or request.get_server()
|
||||
after_url = urlparse.urlunsplit((scheme, netloc, parsed_url.path, parsed_url.query,
|
||||
parsed_url.fragment))
|
||||
if not (after_url.startswith(get_publisher().get_backoffice_url()) or
|
||||
after_url.startswith(get_publisher().get_frontoffice_url())):
|
||||
raise errors.RequestError()
|
||||
else:
|
||||
after_url = get_publisher().get_frontoffice_url()
|
||||
response.set_status(303)
|
||||
|
|
Loading…
Reference in New Issue